Subprocessor List

CostLoop uses the following third-party service providers (subprocessors) to deliver the service. As a data controller committed to global privacy compliance — including GDPR, UK GDPR, FADP, PIPL, APPI, PIPA, PDPA, and DPDP — we ensure that each subprocessor provides adequate data protection guarantees, either by operating within the European Economic Area (EEA) or by relying on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) and equivalent instruments recognised under other applicable regulations.

All subprocessors are contractually required to process your data only on our instructions and for the purposes described below.

Subprocessor	Purpose	Data processed	Location
Stripe, Inc.	Payment processing	Billing information, payment card data	United States SCCs
Supabase, Inc.	Database, authentication, storage	Account data, subscription data	European Union
Resend, Inc.	Transactional email delivery	Email address, email content	United States SCCs
Vercel, Inc.	Web hosting and CDN	IP address, request logs	United States SCCs

Note on Standard Contractual Clauses (SCCs): SCCs are a legal mechanism approved by the European Commission that allows personal data to be lawfully transferred from the EU/EEA to countries that do not have an adequacy decision (such as the United States). When we say a subprocessor relies on SCCs, it means we have data processing agreements in place that incorporate these clauses, providing equivalent protections for your data.

Changes to This List

We will update this page if we add or remove subprocessors. Where adding a new subprocessor would represent a material change to how your data is processed, we will notify you in advance in accordance with our Privacy Policy.

Questions

If you have questions about our subprocessors or data processing arrangements, please contact us at hello@costloop.app.

For more information about how we protect your data, see our Privacy Policy.